Possible SSL split attack according to McAfee Mobile Security

I logged into my wifi this morning on my Android device and an alert from McAfee Security informed me that I was under an SSL split attack. I disabled the SophosGuest wireless network, created a secure WPA2 passphrase, then connected again and the issue still persists. I don't really know where to begin as I'm not sure if it's an infected client or if the Sophos UTM has been compromised.

I also downloaded the "wifi security checker" app and performed a scan while connected to the supposedly compromised connection, and everything passes fine.

I have Web filtering (dual antivirus), Intrusion detection, firewall enabled, but I had a pretty weak wifi password. Now, after changing it to a more secure password, McAfee still alerts me to an SSL split attack.

I also downloaded "ARP Guard" and after connecting to the wireless AP it immediately alerted me that ARP spoofing was detected.

Is there anything in the Wireless Protection log that might alert me to a problem?

  • I had exactly the same thing happen last night. I was on my Android phone and it said my home wifi was being attacked by an SSL split attack. I switched to our other network and had the same alert.
    I downloaded a few different programs and did some checks and it said they were all clear. Maybe McAfee had a glitch and went crazy. Either way I've changed a lot of info now just in case.

  • Do you have HTTPS inspection enabled? It is easy to imagine that they are using a form of certificate pinning to detect that the UTM's CA certificate is not one that they recognize as trusted.

    But they also may have deployed and retracted a bug.

  • Sorry, I have no idea what that is. I had my modem with the basic settings from out of the box. I've changed a few of the settings including wireless broadcast. Now you can't get onto the network unless you know the name and password.

  • Yes, transparent web filtering is enabled with HTTPS URL filtering.

    I have retested the scenario. McAfee WiFi Security no longer reports an SSL Split attack, but ARP Guard detects "MAC address spoofing" on any network I connect to with BSSID Analysis enabled. Odd that both would have reported the attack earlier on any setting combination, but now only ARP Guard does. Not sure if this has to do with ARP Guard reporting the BSSID MAC address as different than what the Sophos wireless security log shows.

    It could just be that the MAC address of the default gateway is different than the MAC address of the access point. I'm sure there's a simple explanation.

    I should try HTTPS decrypt and scan from now on. I followed the Sophos best practices tutorial for DNS. User portal is disabled, SSH is disabled, AP isolation is enabled, a secure 20+ character WPA2 AES passphrase is set. Not sure what else I (we) have to do to secure a network around here.

    Next we should try HTTPS decrypt and scan. My next step is to install Server 2012 in a VM and use it as a certificate authority or a radius server.

  • I have seen an ARP spoofing warning from McAfee on my phone, at church when they had an initial webpage that forced you to acknowledge their usage terms. Never called McAfee about it and now I use the Sophos phone protection instead. I think your scenario is different.

    Sounds like you should ask McAfee how their product works.
